Is security slowing things down?

Mary Ursula Herrmann

Mary Ursula Herrmann is a Network Security Analyst living in Juneau, AK. She has worked in Information Security for over 15 years, and obtained her CISSP in 2005.

In my previous blog entry, I talked about the fact that as technology evolves, so do threats, and so must your IT systems. But an article I read recently suggests that security itself may be the reason for not adopting new technology. Rather, concern about security, and about having the knowledge or skills to secure new technology, is what keeps business owners from adopting it. It’s my personal opinion that the “skills gap” is mostly artificial and exists because employers aren’t willing to train otherwise demonstrably capable people, or hire people who are missing one or two skills.

But that aside, from my own experience I’ve seen that the need for security, and the fear that it can’t be correctly implemented, does hold business owners back from adopting new technology, a good example being BYOD. Up until recently, the clearest solution for mobile devices in the workplace was Blackberry/RIM; now that that’s no longer true, expertise on BYOD security is still nascent. Another example is when an enterprise is so large, and its need for security so stringent, that even noncritical system patching is something that can be delayed for one or more months while the “new technology” is tested to make sure it doesn’t change something that shouldn’t be changed or in a way that it shouldn’t be changed. Adoption of actual new technologies (cloud, BYOD, and so on) can therefore come years after many other businesses have started using them.

The solution here, I believe, is to automate testing of patches and other system changes so that they can be applied more quickly, which will also eventually speed up adoption of new technology. While new technologies - social media, BYOD, cloud storage/services, for example - are often viewed as potential security pitfalls, in some cases they can actually be ways to tighten security measures. For example, theoretically, BYOD could be a boon security-wise to an organization that has a need for its employees to use mobile devices, because adopting it wholeheartedly and with the correct management techniques would be better than the piecemeal adoption that may be happening without anybody really thinking it through. Cloud storage may actually prove to be more secure than in-house storage, as long as your cloud vendor is following certain precepts. And so on.

Obviously I am not advocating taking security lightly, or proposing that the solution to the problem of adopting new technologies is an easy one. But I see a lot of my colleagues, especially those who work for large, slow-to-adopt enterprises, saying things like “this will never happen” or “this is just a bad idea” with regard to technologies like BYOD and cloud, and I think that they need to take another look rather than being dismissive. Security shouldn’t be a reason not to adopt something new, especially when that new technology makes working easier.
